SRX


Problem Dynamic VPN. Correctly connected, correct policy and NAT, but NOT able to reach private net.

  • 1.  Problem Dynamic VPN. Correctly connected, correct policy and NAT, but NOT able to reach private net.

    Posted 04-27-2018 02:14

    Hi,

    last week I configured one dynamic VPN profile for VPN client access.

    It was working perfectly :) but after one weekend of changes, I came back to re-connect to the VPN from a remote location and found that VPN clients are no longer able to connect to internal resources.

    In the specific:

    1) Pulse is connected correctly

    2) Connecting to internal resources is not working.

     

    Extract of the configuration:

    set security dynamic-vpn access-profile remote_access_profile
    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.0.0.0/8
    set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
    set security dynamic-vpn clients wizard-dyn-group user vpn123
    
    set access profile remote_access_profile client test123 firewall-user password "$9$Lyoxdb4aUji.hSlvW8dV/9A0IcLX-w2aFnRSeWN-4oJGjq/9pOBE"
    set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.0.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet range d-range low 172.16.0.150
    set access address-assignment pool dyn-vpn-address-pool family inet range d-range high 172.16.0.200
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 10.20.20.100/32
    set access firewall-authentication pass-through default-profile remote_access_profile
    set access firewall-authentication web-authentication default-profile remote_access_profile
    
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 from zone CONTACT-INSIDE
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 to zone INTERNET
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match source-address-name vpn-clinet_net
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match destination-address-name HQ_net
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client then source-nat off
    
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match source-address any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match destination-address any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match application any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then permit tunnel ipsec-vpn wizard_dyn_vpn
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then log session-close
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then count
    

    Maybe more relevant (though I didn't find anything specific in it) is the debug trace log:

    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:jsf sess close notify
    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32
    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:<172.16.0.165/33539->10.10.10.254/1;1> matched filter filter1:
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:packet [60] ipid = 17960, @0x43e77e5a
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x43e77c00, rtbl_idx = 0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow process pak, mbuf 0x43e77c00, ifl 0, ctxt_type 1 inq type 6
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: in_ifp <junos-host:.local..0>
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x67099470
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:host inq check inq_type 0x6
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:tifp NULL
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:pkt out of tunnel.Proceed normally
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  pp0.0:172.16.0.165->10.10.10.254, icmp, (8/0)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: find flow: table 0x5db6db28, hash 39479(0xffff), sa 172.16.0.165, da 10.10.10.254, sp 33539, dp 1, proto 1, tok 16395
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  no session found, start first path. in_tunnel - 0x6027cdf8, from_cp_flag - 0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_create_session
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:First path alloc and instl pending session, natp=0x600ae428, id=5614
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_in_dst_nat: in <pp0.0>, out <N/A> dst_adr 10.10.10.254, sp 33539, dp 1
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  chose interface pp0.0 as incoming nat if.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.254(1)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 172.16.0.165, x_dst_ip 10.10.10.254, in ifp pp0.0, out ifp N/A sp 33539, dp 1, ip_proto 1, tos 0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing DESTINATION addr route-lookup
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_ipv4_rt_lkup success 10.10.10.254, iifl 0x55, oifl 0x46
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  routed (x_dst_ip 10.10.10.254) from INTERNET (pp0.0 in 0) to vlan.10, Next-hop: 10.10.10.254
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_policy_search: policy search from zone INTERNET-> zone CONTACT-INSIDE (0x0,0x83030001,0x1)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Policy lkup: vsys 0 zone(11:INTERNET) -> zone(6:CONTACT-INSIDE) scope:0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:             172.16.0.165/2048 -> 10.10.10.254/51799 proto 1
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  permitted by policy VPN_Admin(41)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  packet passed, Permitted by policy.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  incoming src port is : 33539.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 4/0, pst_nat: False.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  dip id = 0/0, 172.16.0.165/33539->172.16.0.165/33539 protocol 0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  choose interface vlan.10(P2P) as outgoing phy if
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.10, addr: 10.10.10.254, rtt_idx:4
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf : Alloc sess plugin info for session 4294972910
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: Allocating plugin info block for plugin(6)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF] set ext handle 0x562a62a0 for plugin 6 on session 4294972910
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Plugins(0x40, count 1) enabled for session = 4294972910, impli mask(0x0), post_nat cnt 0 svc req(0x5)
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]c2s order list:
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]s2c order list:
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_service_lookup(): natp(0x600ae428): app_id, 0(0).
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  service lookup identified service 0.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_final_check: in <pp0.0>, out <vlan.10>
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:In flow_first_complete_session
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5c4f9e40, nsp: 0x600ae428, in_tunnel: 0x6027cdf8
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:construct v4 vector for nsp2
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  existing vector list 0x8284-0x5611b168.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  Session (id:5614) created for first pak 8284
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first pak processing successful
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_install_session======> 0x600ae428
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: nsp 0x600ae428, nsp2 0x600ae4b8
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  make_nsp_ready_no_resolve()
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  reverse route is optional
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing jsf sess create notify
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf create notify: plugin id  6. rc 3
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x600ae428): 0 SHORT_CIRCUITED: 0x00000000.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:no need update ha
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Installing s2c NP session wing
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first path session installation succeeded
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow got session.
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow session id 5614
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: vector bits 0x8284 vector 0x5611b168
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: ****jsf svc chain: sess id 5614, dir 1, nat_done 0, pak pid 0, first pid 6
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: plugin name junos-jdpi. action JSF_SESSION_ACTION_NONE, stbuf 0x0
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 1, st_buf 0x0.
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 2, st_buf 0x0.
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:All plugins have ignored session :5614
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:PKT-PROC for plugin junos-jdpi jbuf 0x608d6b50, sess jsf flags 0x0, rc 0
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  encap vector
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  no more encapping needed
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:mbuf 0x43e77c00, exit nh 0x110010
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x5c4f9e40 associated with mbuf 0x43e77c00
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:<10.10.10.254/1->172.16.0.165/33539;1> matched filter filter2:
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:packet [60] ipid = 40725, @0x43e8a79a
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8a580, rtbl_idx = 4
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: flow process pak fast ifl 70 in_ifp vlan.10
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  vlan.10:10.10.10.254->172.16.0.165, icmp, (0/0)
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: find flow: table 0x5db6db28, hash 11247(0xffff), sa 10.10.10.254, da 172.16.0.165, sp 1, dp 33539, proto 1, tok 16390
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:Found: session id 0x15ee. sess tok 16390
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow got session.
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow session id 5614
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:no fto but skip rerouting since route is optional
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: vector bits 0x8204 vector 0x5611b1c8
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:ttl vector, out_tunnel = 0x6027cdf8
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1422, nsp2->pmtu: 1422
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  encap vector
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  going into tunnel 67108881 (nsp_tunnel=0x6027cdf8).
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow_encrypt: tun 0x6027cdf8, type 1
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:lpak_init: lpak 0x5c775d18, paksize 60, machdr 0x0, iphdr 0x43e8a79a
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)

    Any suggestions to solve this problem?

     

    Many regards


    #dynamicVPN
    #vpnclient
    #SRX110
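The trace above already answers the question the poster is asking of the SRX: the first packet from the client (172.16.0.165, arriving on pp0.0) is routed to vlan.10, permitted by policy VPN_Admin, not source-NATed, and gets session 5614; the ICMP reply from 10.10.10.254 finds the same session and goes back into the tunnel. Reading a few hundred lines of flow trace by eye to confirm that is error-prone, so here is a small parser, added as an example and not part of the original post or of any Juniper tool, that pulls the forwarding decisions out of an SRX flow trace and reports whether a complete client-to-server-to-client round trip is visible. The sample input is a cut-down copy of the trace lines in the post; the regexes assume the trace wording of this post's Junos release (other releases may phrase lines differently, which is an assumption), and the verdict strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the flow trace in the post above, cut down to
# the ones that carry a forwarding decision. Embedded so the script runs offline.
SAMPLE_TRACE = """\
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:<172.16.0.165/33539->10.10.10.254/1;1> matched filter filter1:
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  pp0.0:172.16.0.165->10.10.10.254, icmp, (8/0)
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  no session found, start first path. in_tunnel - 0x6027cdf8, from_cp_flag - 0
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  routed (x_dst_ip 10.10.10.254) from INTERNET (pp0.0 in 0) to vlan.10, Next-hop: 10.10.10.254
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  permitted by policy VPN_Admin(41)
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  Session (id:5614) created for first pak 8284
Apr 27 11:48:54 11:48:53.820725:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:<10.10.10.254/1->172.16.0.165/33539;1> matched filter filter2:
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  vlan.10:10.10.10.254->172.16.0.165, icmp, (0/0)
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow session id 5614
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  going into tunnel 67108881 (nsp_tunnel=0x6027cdf8).
Apr 27 11:48:54 11:48:53.825226:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)
"""

# Every trace line starts with "<date> <time>:CID-<n>:RT:"; strip it before matching.
PREFIX = re.compile(r"^.*?:CID-\d+:RT:")
# Patterns for the decision lines (wording as seen in this post's trace; assumed stable).
HEADER = re.compile(r"<([\d.]+)/(\d+)->([\d.]+)/(\d+);(\d+)> matched filter (\w+):")
IFACE = re.compile(r"^\s*([\w.]+):([\d.]+)->([\d.]+), (\w+)")
ROUTE = re.compile(r"routed \(x_dst_ip [\d.]+\) from (\S+) \(([\w.]+) in \d+\) to ([\w.]+), Next-hop: ([\d.]+)")
POLICY = re.compile(r"(permitted|denied) by policy ([\w-]+)\(\d+\)")
SRCNAT = re.compile(r"nat_src_xlated: (True|False)")
SESSION = re.compile(r"Session \(id:(\d+)\) created|flow session id (\d+)")
TUNNEL = re.compile(r"going into tunnel (\d+)")
RC = re.compile(r"flow_process_pkt rc (0x[0-9a-fA-F]+)")


@dataclass
class FlowRecord:
    """What the SRX decided for one traced packet."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    filter_name: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    from_zone: Optional[str] = None
    next_hop: Optional[str] = None
    policy: Optional[str] = None
    policy_action: Optional[str] = None
    src_nat: Optional[bool] = None
    session_id: Optional[int] = None
    first_path: bool = False        # True when this packet created the session
    entered_tunnel: bool = False    # True when the packet was encrypted back to the client
    rc: Optional[str] = None

    def reverse_of(self, other: "FlowRecord") -> bool:
        """True if this packet is the reply direction of `other` (5-tuple mirrored)."""
        return (self.src, self.sport, self.dst, self.dport, self.proto) == (
            other.dst, other.dport, other.src, other.sport, other.proto)


def parse_trace(text: str) -> List[FlowRecord]:
    """Split a flow trace into per-packet records, one per 'matched filter' header."""
    records: List[FlowRecord] = []
    cur: Optional[FlowRecord] = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if (m := HEADER.search(line)):
            cur = FlowRecord(m[1], int(m[2]), m[3], int(m[4]), int(m[5]), m[6])
            records.append(cur)
        elif cur is None:
            continue                      # lines before the first packet header
        elif (m := IFACE.match(line)):
            cur.in_if = m[1]
        elif "no session found, start first path" in line:
            cur.first_path = True
        elif (m := ROUTE.search(line)):
            cur.from_zone, cur.in_if, cur.out_if, cur.next_hop = m[1], m[2], m[3], m[4]
        elif (m := POLICY.search(line)):
            cur.policy_action, cur.policy = m[1], m[2]
        elif (m := SRCNAT.search(line)):
            cur.src_nat = (m[1] == "True")
        elif (m := SESSION.search(line)):
            cur.session_id = int(m[1] or m[2])
        elif TUNNEL.search(line):
            cur.entered_tunnel = True
        elif (m := RC.search(line)):
            cur.rc = m[1]
    return records


def diagnose(text: str) -> str:
    """Report where the round trip stops, or 'round-trip-ok' if the firewall handled both directions."""
    records = parse_trace(text)
    fwd = next((r for r in records if r.first_path), None)
    if fwd is None:
        return "no-first-path"            # client packet never reached first-path processing
    if fwd.policy_action != "permitted":
        return "policy-denied"            # security policy dropped it
    if fwd.out_if is None:
        return "no-route"                 # no egress interface chosen
    rev = next((r for r in records if r.reverse_of(fwd)), None)
    if rev is None:
        return "no-reply-seen"            # the inside host never answered (or asymmetric path)
    if not rev.entered_tunnel:
        return "reply-not-tunnelled"      # reply was not sent back through the VPN
    return "round-trip-ok"


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE):
        print(rec)
    print("verdict:", diagnose(SAMPLE_TRACE))
```

Run against the sample the verdict is round-trip-ok, which is what the thread's accepted answer eventually confirms: the SRX forwarded the echo request and encrypted the echo reply back into the tunnel, so the remaining suspect is the client end, not policy, NAT or routing on the firewall. A verdict of policy-denied, no-route or no-reply-seen would point back at the SRX or the inside host instead.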


  • 2.  RE: Problem Dynamic VPN. Correctly connected, correct policy and NAT, but NOT able to reach private net.
    Best Answer

    Posted 04-27-2018 02:41

    UPDATE:

    Unbelievable, but something was wrong on my Windows machine or Pulse Secure VPN client!

    I used another PC with the same Pulse Secure version and it's working correctly!! (obviously with the same configuration on the SRX)

    I uninstalled and re-installed the software on my client and the VPN started working once again!!!

     

    So, in case it's happening to you too... troubleshoot the Pulse client first 😉

     

    Bye